For Financial Services, A New Approach to Incident Response is Essential

Facing intense, advanced attacks, global financial institutions are confronting extreme incident impacts


The financial services industry faces the most brutal onslaught of cyber threats in the world, with attacks continuously escalating in sophistication, frequency and impact. Data breaches, operational disruptions, and financial losses plague the sector, costing billions annually. However, many financial institutions still rely on outdated, reactive approaches to cyber incident response: they focus too narrowly on paper incident response plans and static procedures, and they concentrate on the cybersecurity team's response processes while neglecting the vast majority of incident expenses, which fall on other parts of the organization. This leaves them woefully unprepared to deal with attacks.

Nearly 75% of 130 global financial institutions experienced at least one ransomware attack within the past year, according to a Commissioner at the US Commodity Futures Trading Commission (CFTC), and news of high-profile breaches and incidents in the sector continues. Because they hold large amounts of sensitive customer data and have access to financial resources, businesses in the sector are under the gun. This has caused alarm among regulators and lawmakers around the world, who are now urgently seeking new ways to drive financial institutions and their suppliers to better protect systems and data against such threats.


To survive, financial firms, including banks, credit unions, and investment firms, must move from managing reactively to focusing on proactive resilience. Institutions need to diversify planning and practice to meet the breadth of threats and potential attacks, as well as ensure compliance, all while providing an umbrella of legal privilege to protect their people. To that end, it is more crucial than ever for financial services businesses to have effective incident response programs in place, especially given the series of significant events and data breaches over the last few years. Their teams should be able to 1) handle the full breadth of attacks, 2) incorporate all business units, and 3) quickly assemble and mitigate potential impacts.

Current strategies and common approaches are not enough. Ultimately, financial institutions must do more to mitigate the myriad risks of cybersecurity incidents, especially since the next incident is inevitably just around the corner. Much like most other areas of security that have benefited from significant technology development over the last two decades, incident response teams need to adopt the latest approaches to comprehensively automating and customizing their response to cyber incidents. Evolving in this way will enable teams to protect their organizations from the impact of repeated incidents and data breaches.

Data Breaches in the Financial Services Industry

Data breaches are rampant in finance. Financial data breaches accounted for nearly a thousand breaches and over 153 million leaked records from January 2018 to June 2022. That's half the US population, from these breaches alone. Financial organizations are heavily targeted by cybercriminals, making up 22.4% of observed cyber attacks in 2021 and remaining the second most-targeted sector at 18.9% last year. Most troubling is the acceleration in attacks, with the number of breach victims rising 41.5% in a single year, according to the Identity Theft Research Center (ITRC).

Firms in financial services face a wide range of attacks. Criminals use phishing, ransomware, and zero-day attacks to infiltrate systems, acquire sensitive information, and capture funds. Verizon's annual data breach investigations report (known as the DBIR) found that 82% of breaches involve the human element, including errors, misuse, phishing, and stolen credentials. Distributed denial of service (DDoS) attacks are commonly used to disrupt operations and even to distract security personnel during multi-pronged attacks; in fact, the sector was the target of 25% of all DDoS attacks in 2021. Ransomware groups now steal financial data to demand higher ransoms, knowing the regulatory scrutiny, cyber insurance limitations, and customer impacts that financial firms face after an attack. "A 2022 survey of 130 global financial institutions found that 74% experienced at least one ransomware attack over the past year," noted a CFTC commissioner.

Many teams incorrectly presume that large US banks are the primary target of attackers; in fact, attacks on smaller organizations occur frequently but, given their size, often stay below the radar of news organizations. The Thales EMEA report indicated that 37% of its research respondents had a data breach in the prior 12 months, and 52% had at least one in their company history. Similarly, RSM notes that 22% of middle market companies had a breach in the last year. Small banks are a common target because attackers perceive them as investing less in security. Yet in most cases they face the same sophisticated attacks as large banks, including ransomware, data theft, and DDoS. And financial institutions around the world face attacks of similar size and complexity.

Over the last few years, attackers have broadened their attacks to target the partners, vendors, suppliers, and supply chains of financial institutions; per the ITRC, there were 40% more supply chain attacks in 2022 than in the prior year. The consequences of these attacks are further compounded in the financial sector by high supplier and institutional interdependencies. The Fed has detailed how a successful major attack on a top five bank would impact many other institutions.

A recent attack from earlier this year further demonstrates this point. A small data business headquartered in Ireland, Ion Markets, suffered a ransomware attack. The company was working with dozens of European and American firms, however, and the attack not only disrupted Ion's customers, some of which were forced to revert to paper ledgers, but also impaired the government's ability to collate traders' positions in the market. The CFTC noted that suppliers and supply chains are a "major source of [new] risk" because in many cases they are outside regulators' purview (although that is rapidly changing).

Moving forward, as reported by the Financial Services Information Sharing and Analysis Center (known as FS-ISAC), rising risk drivers for firms in the sector in 2023 and the years ahead include artificial intelligence, commoditized malware-as-a-service, and rampant cryptocurrency cybercrime. Threat actors aren’t slowing down, especially given their immense success targeting the sector.

The Financial Impacts from Incidents & Data Breaches

The cost of data breaches for financial services firms is astounding. Per research by Cybersecurity Ventures, the cost of cybercrime is predicted to hit $8 trillion in 2023, grow to $10.5 trillion by 2025, and continue rising thereafter. According to Accenture, financial services firms face an average cost from attacks that is 40% higher than all other sectors, snowballing from $3T to $5T over two short years. Per Ponemon's Cost of a Data Breach report, an average-size incident of just 2000 to 102,000 records costs a financial services organization $6M per occurrence, nearly 50% more than in most other sectors.

Operational disruptions from attacks like ransomware cost millions to remediate. They halt services, introduce fraud risks and erode customer trust. Even with cyber insurance, financial companies are often left paying heavy out-of-pocket expenses due to policy restrictions or coverage limits. Most pass 60% of total breach costs to consumers through price hikes, fees or higher interest rates according to studies.

Larger financial losses from data breaches and cyber incidents in finance are also common. A breach at PayPal affected nearly 35,000 clients, and, as has become common over the last few years, the company faces a class-action lawsuit for negligence for "failing to adequately safeguard the personal information of its users." PayPal is just one example among many; fines and class-action losses continue to hit breached firms in the sector, with Capital One facing $80M in fines and a $190M settlement for a single data breach. For large breaches like these, total costs reported by Ponemon average $200M-400M, and they surpass $1 billion for mega breaches of 20+ million records in the sector.

Incidents and data breaches have disastrous medium- and long-term financial effects. Publicly listed firms saw an average 7.5% fall in the value of their stocks and an average market cap loss of $5.4 billion after an incident. It took these stock values at least 46 days to recover (in the cases where they actually did) and return to their pre-breach levels. These incidents also have a knock-on effect across the company's entire supplier chain, increasing overall losses up to 26 times.

Customers expect businesses to protect their personal information and will simply move to a rival if enterprises can't guarantee data protection. Further, a loss of client confidence caused by weak security measures or a data breach has a demonstrable impact on customer dissatisfaction and on the losses the company incurs. Per Ponemon, every average incident costs an organization over $1.4M in lost business. And regulators and lawmakers are taking notice of their constituents' dissatisfaction over continuing incidents.

Ever-Increasing Regulatory Scrutiny for Financials

Amidst the escalating cybersecurity landscape, financial institutions must navigate an increasingly complex web of regulations. Financial institutions have always faced stringent regulatory requirements, but those requirements are now expanding exponentially. Global laws like GDPR started the trend, and state laws like the California Consumer Privacy Act and California Privacy Rights Act (CCPA and CPRA, respectively) are surging. A number of states, including Colorado, Utah, and Virginia, have already passed laws, with similar legislation expected shortly from Connecticut, Louisiana, Texas, and Nevada.

Sector-specific laws are also increasing in scope. For example, the three federal bank regulatory agencies in the United States, the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (known as the Board), and the Federal Deposit Insurance Corporation (FDIC), approved a strict rule requiring banks to issue notification of a significant incident within 36 hours. Similarly, the New York Department of Financial Services (NYDFS) has in recent years repeatedly issued directives and guidance in a similar vein to financial institutions and their suppliers. And a flurry of new laws and directives over just the past year, globally and at both the state and federal level in the United States, has rapidly added more complexity and requirements for financial services institutions.

Authorities are adopting an increasingly strict stance on data privacy and cybersecurity compliance, including targeting executives and board members, whom they consider ultimately responsible for making security and data protection top priorities. The Federal Trade Commission is issuing directives making CEOs personally accountable for cybersecurity within their companies. Regulators are also taking action directly against companies, such as Austria revoking one company's ability to process citizens' personal data due to violations of data protection laws.

Regulators are finding this approach effective, both optically for their constituents and as a forceful driver of change at businesses under their purview. It's no wonder the Federal Deposit Insurance Corporation has stated it "will continue to use its authorities to battle" threats and push banks to improve their cyber resilience. Many institutions have not taken the time to capture these requirements. This is reflected in research by the Bank Policy Institute's technology policy division, known as BITS, which reports that CISOs have spent upwards of 40% of their time resolving the requirements of numerous regulatory agencies.

Financial institutions must ensure they have a deep understanding of these regulations and develop robust incident response plans that encompass the legal and regulatory requirements specific to the financial services industry. This growing challenge demands a modernized strategy beyond just standard security measures and outdated approaches. Companies need a proactive security culture, extensive testing of incident response processes tailored to specific threats, and procedures that are actively used and continuously improved.

Ditch the Reactive Approach & Join the Modern Era

Given these concerning patterns, financial institutions need to move beyond basic adherence to compliance measures and laws and place greater emphasis on building a resilient approach to incident response that effectively mitigates the impact of incidents. This requires allocating resources towards fortified cybersecurity defenses, engaging more frequently in simulations and exercises, integrating automated systems purpose-built for cybersecurity incident management, and establishing processes for reporting data breaches and issuing notifications within tight deadlines.

To that end, and for good reason, the ECB is one example of a regulatory body forcing the 111 banks it supervises to run cyber stress tests to assess how they would react. Since the Russian invasion of Ukraine, institutions worldwide have seen a marked increase in attacks. In addition, given the impact of the Ion Markets attack, the ECB wants to make sure organizations are prepared to respond, and to determine whether additional regulations are needed to get financial institutions and their suppliers to proactively secure themselves. This isn't limited to Europe; regulators worldwide are following suit.

To address these unique challenges, financial services organizations must embrace a proactive and comprehensive approach to incident response that goes beyond conventional measures. Keeping pace with evolving threats necessitates the use of purpose-built incident notification systems and automation for data breach response. These technologies empower institutions to effectively tackle the spectrum of potential attacks while ensuring compliance with pertinent legal requirements specific to the financial services industry. By leveraging automation, response times are accelerated, the risk of human error is minimized, response plans are diversified to address a wide range of attacks, and compliance obligations are met while safeguarding legal privileges. Scalability and customization are crucial features for the approach, as they enable organizations of all sizes to tailor their incident response to their unique needs.

Deploying this approach presents measurable advantages. Reductions in the typical expenses incurred during a data breach and in the average time taken to detect and manage breaches, together with an improved capability to meet legal and regulatory obligations, can demonstrate the effectiveness of investing in this methodology. It is crucial for top executives to strategically define the business needs for such an approach, even amid the obstacles leaders face in comprehending cybersecurity matters and determining reporting intervals.

The financial services sector faces an ever-growing cyber threat landscape. The escalating frequency and impacts from these attacks necessitate the implementation of strong, proactive cybersecurity strategies encompassing the use of automated incident response systems, data breach notification and reporting systems, as well as frequent cybersecurity exercises to prepare for the typical attacks faced by organizations in the sector. By adopting such an approach, financial institutions can effectively alleviate the financial, regulatory, and operational repercussions associated with these attacks, while simultaneously prioritizing the protection of customer data and safeguarding the trust and confidence of their clients. Preventing incidents altogether is impossible; proactively preparing to manage and minimize the impacts from the inevitable incident should be every team’s focus.

The future is fast approaching, and financial services must adapt to survive. The era of reactive cyber response is over. Today, resilience is what matters most.
